Re: Password Management Policy & Standards

[Brad Judy <brad.judy () CU EDU>]

If the password is used to control the second factor, then you don¹t have
a second factor.

Brad Judy
 
Information Security Officer
Office of Information Security
University of Colorado
1800 Grant Street, Suite 300
Denver, CO  80203
Office: (303) 860-4293
Fax: (303) 860-4302
www.cu.edu <http://www.cu.edu/>
 

 






On 2/26/16, 5:09 AM, "The EDUCAUSE Security Constituent Group Listserv on
behalf of Bradner, Scott" <SECURITY () LISTSERV EDUCAUSE EDU on behalf of
sob () HARVARD EDU> wrote:

> you could care if the password is compromised if the password is used to
> enable or otherwise
> control the 2nd factor
>
> Scott
>
> > On Feb 26, 2016, at 7:02 AM, Mark I. Berman <mberman () SIENA EDU> wrote:
> >
> > Joanna,
> >
> > So what you're saying is that the reason to expire passwords is to make
> > the accountants happy rather than any rational balancing of risk/reward?
> > I think I probably agree with you. We just had a discussion here about
> > whether we need to worry about password expiration and complexity so
> > much if we move to two factor authentication. One thing that was brought
> > up is that we might not even know if a password is compromised since the
> > bad-guy still wouldn't be able to get in, lacking the second factor. And
> > do we care at that point that the password was compromised.  Two factor
> > auth certainly seems to throw a monkey wrench into the question of how
> > important complex and frequently changed passwords really are!
> >
> > - Mark
> > --
> > Mark Berman, Chief Information Officer
> > Siena College
> > 515 Loudon Road
> > Loudonville, NY  12211
> > (518)782-6957,  Fax: (518)783-2590